PHP :: Request #36341 :: Changes to combat mail form spam

Changes to combat mail form spam

Submitted:

2006-02-09 15:16 UTC

Modified:

2016-12-30 23:34 UTC

Votes:	15
Avg. Score:	4.9 ± 0.2
Reproduced:	13 of 13 (100.0%)
Same Version:	4 (30.8%)
Same OS:	4 (30.8%)

From:

paul at xciv dot org

Assigned:

Status:

Open

Package:

Mail related

PHP Version:

4.4.2

OS:

FreeBSD

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	paul at xciv dot org
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-02-09 15:16 UTC] paul at xciv dot org

Description:
------------
I have two suggestions for modifications to help combat the problem of mail form spam.

Firstly I would like to see mail.force_extra_parameters back-ported to the 4.x branch - not everyone is ready to upgrade to 5.x in production yet.

Secondly I would like to suggest that environment variables from the PHP environment are exposed to the sendmail binary.

I will explain why this is useful.


Reproduce code:
---------------
With the mail.force_extra_parameters option, I can set different parameters per Apache vhost.

This can be very useful because I can set custom parameters like: -xs my.vhost.domain

How is this useful?  Well if I then set a new sendmail_path to my own custom wrapper script I can pick up these custom parameters and do two things:

1. Log the originating vhost, number of recipients etc.

2. Add an X-Header: in the mail detailing which vhost the mail originated from - before passing it to the real sendmail.

This allows me to track which vhost sent mail from the httpd!  So I can now track which vhost may have an insecure mail form if I get spam reports.  With say 100 vhosts this is *invaluable*.

My second suggestion would make this a lot easier and a lot more expandable.  If the PHP environment variables were exposed to sendmail then I could even pick up such details as the script filename etc and this would then not require the use of custom mail.force_extra_parameters.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-02-11 18:33 UTC] karl at kdawebservices dot com

Both excellant ideas. I also believe there is a patch out in the wild for PHP that automatically adds a X header with the vhost domain - Perhaps this should be incorporated (with an ini option to turn it on/off) along with adding the path to the script as an X header as well.

[2006-03-04 21:33 UTC] tim at globalgold dot co dot uk

I agree Paul's suggestion should be implemented.

[2006-03-06 16:11 UTC] simon at advantage-interactive dot com

Excellent suggestions, would help tracking back spam

[2006-03-08 19:59 UTC] richard at indigo3 dot net

An interesting idea. Well worth the investment in time and effort.

[2015-12-08 12:49 UTC] david at ols dot es

You can actually add custom parameters to sendmail using per vhost php_admin_value sendmail_path , nevertheless having the REMOTE_ADDR user ip address will be very helpful as it could be checked against spamhaus/cbl , also having REQUEST_URI available could help tracking problems.

Request #37989 is a similar one.

[2016-12-30 23:34 UTC] cmb@php.net

-Package: Feature/Change Request +Package: Mail related

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2021 The PHP Group All rights reserved.	Last updated: Thu Jul 29 16:01:24 2021 UTC